---
search:
  exclude: true
---
# unattendedupgrades Setup 

![](0.png)

In this tutorial we're going to setup debian unattended upgrades so that packages are automatically updated on the system without needing any external help. 

## **Initial Setup**
    
    
    [ 10.8.0.2/24 ] [ home ] [~]
    → apt install unattended-upgrades apt-listchanges -y
    
    [ 10.8.0.2/24 ] [ home ] [~]
    → dpkg-reconfigure -plow unattended-upgrades
    
    	
    

![](1.png)

Then you can run the following command to run the unattended upgrade manually:
    
    
    [ 10.8.0.2/24 ] [ home ] [~]
    → unattended-upgrade -d
    Starting unattended upgrades script
    Allowed origins are: origin=Debian,codename=bullseye,label=Debian, origin=Debian,codename=bullseye,label=Debian-Security, origin=Debian,codename=bullseye-security,label=Debian-Security
    Initial blacklist:
    Initial whitelist (not strict):
    Marking not allowed  with -32768 pin
    Marking not allowed  with -32768 pin
    Marking not allowed  with -32768 pin
    Applying pinning: PkgFilePin(id=6, priority=-32768)
    Applying pin -32768 to package_file: 
    Applying pinning: PkgFilePin(id=5, priority=-32768)
    Applying pin -32768 to package_file: 
    Applying pinning: PkgFilePin(id=4, priority=-32768)
    Applying pin -32768 to package_file: 
    Using (^linux-.*-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^kfreebsd-.*-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^gnumach-.*-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^.*-modules-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^.*-kernel-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^linux-.*-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^kfreebsd-.*-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^gnumach-.*-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^.*-modules-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^.*-kernel-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$) regexp to find kernel packages
    Using (^linux-.*-5\.10\.0\-20\-amd64$|^linux-.*-5\.10\.0\-20$|^kfreebsd-.*-5\.10\.0\-20\-amd64$|^kfreebsd-.*-5\.10\.0\-20$|^gnumach-.*-5\.10\.0\-20\-amd64$|^gnumach-.*-5\.10\.0\-20$|^.*-modules-5\.10\.0\-20\-amd64$|^.*-modules-5\.10\.0\-20$|^.*-kernel-5\.10\.0\-20\-amd64$|^.*-kernel-5\.10\.0\-20$|^linux-.*-5\.10\.0\-20\-amd64$|^linux-.*-5\.10\.0\-20$|^kfreebsd-.*-5\.10\.0\-20\-amd64$|^kfreebsd-.*-5\.10\.0\-20$|^gnumach-.*-5\.10\.0\-20\-amd64$|^gnumach-.*-5\.10\.0\-20$|^.*-modules-5\.10\.0\-20\-amd64$|^.*-modules-5\.10\.0\-20$|^.*-kernel-5\.10\.0\-20\-amd64$|^.*-kernel-5\.10\.0\-20$) regexp to find running kernel packages
    pkgs that look like they should be upgraded:
    Fetched 0 B in 0s (0 B/s)
    fetch.run() result: 0
    Packages blacklist due to conffile prompts: []
    No packages found that can be upgraded unattended and no pending auto-removals
    Extracting content from /var/log/unattended-upgrades/unattended-upgrades-dpkg.log since 2023-02-15 21:00:54
    	
    

Then you can check if it works with apt:
    
    
    [ 10.8.0.2/24 ] [ home ] [~]
    → apt upgrade -y
    Reading package lists... Done
    Building dependency tree... Done
    Reading state information... Done
    Calculating upgrade... Done
    0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
    	
    

no packages to be changed, which means the packages are up to date.

OPTIONAL: To make sure your server reboots every day to refresh the services (because the service stays the same even when packages are upgraded, until its restarted) do so with cron:
    
    
    crontab -e
    
    0 0 * * * reboot												#restart the server everyday at midnight
    #0 0 * * * systemctl isolate rescue; systemctl isolate default	#forcefully restart all systemd services (careful it may break services)